Haha we're going around in circles a bit here. Let's level set here since I see that page has changed a bit since I last looked, so I might not be saying this correctly.
The Internet traffic section under Flow Preferences is used to control which WAN interface Internet destined traffic egresses. This section does not impact traffic that is sent over the SD-WAN overlay (AutoVPN tunnels). Here you can override the system defaults for forwarding Internet traffic by selecting a specific interface, or load balance over both.
This section has no effect on traffic being sent through an AutoVPN tunnel.
The VPN Traffic section under SD-WAN policies is used to control traffic that is forwarded over the SD-WAN Overlay (AutoVPN Tunnels). This section allows you to specify an SLA to attach to the traffic type and make dynamic forwarding decisions based on the conditions of the network. This section aligns with what people think of as SD-WAN. Traffic that matches rules in this section can be monitored on the VPN status page as I mentioned previously.
This section has no effect on traffic being sent directly to the Internet (local breakout).
The decision on whether to route traffic into the overlay or direct to Internet is based on the routing table of the MX, not by policies in either of these sections. If the AutoVPN configuration is such that the destination network is routed via an AutoVPN partner then traffic is routed into AutoVPN, and then the SD-WAN policies are applied as applicable. However, if no matching route is found traffic will be sent outside of AutoVPN direct to the Internet, using the Internet Traffic Flow Preferences if applicable.
What I'm getting from your posts is that you are trying to use the SD-WAN policies VPN traffic section to apply policy to Internet traffic, which won't work. Each section has its specific purpose and configuring a rule in one section for the other traffic type will have no effect.
Hey @swifty,
You can monitor the policy under Security & SD-WAN > VPN Status. The lower section of that page contains "Uplink Decisions" where you can see which flows have been mapped to which uplink, and the reason why they were mapped there.
Ahh, gotcha. Yeh I assumed you meant AutoVPN traffic. Unfortunately, there is no way to monitor traffic forwarding that's being done through the Internet Flow Preferences section that I'm aware of, at least not in a meaningful way. You can see how much traffic each uplink is passing on the Uplink tab of the Appliance Status page, but that's about it. If you just want to test it to confirm it's working you can create a rule for a device and visit What is My IP to verify that you have egressed the correct WAN interface, but I know that's really not what you're asking. 😞
Haha we're going around in circles a bit here. Let's level set here since I see that page has changed a bit since I last looked, so I might not be saying this correctly.
The Internet traffic section under Flow Preferences is used to control which WAN interface Internet destined traffic egresses. This section does not impact traffic that is sent over the SD-WAN overlay (AutoVPN tunnels). Here you can override the system defaults for forwarding Internet traffic by selecting a specific interface, or load balance over both.
This section has no effect on traffic being sent through an AutoVPN tunnel.
The VPN Traffic section under SD-WAN policies is used to control traffic that is forwarded over the SD-WAN Overlay (AutoVPN Tunnels). This section allows you to specify an SLA to attach to the traffic type and make dynamic forwarding decisions based on the conditions of the network. This section aligns with what people think of as SD-WAN. Traffic that matches rules in this section can be monitored on the VPN status page as I mentioned previously.
This section has no effect on traffic being sent directly to the Internet (local breakout).
The decision on whether to route traffic into the overlay or direct to Internet is based on the routing table of the MX, not by policies in either of these sections. If the AutoVPN configuration is such that the destination network is routed via an AutoVPN partner then traffic is routed into AutoVPN, and then the SD-WAN policies are applied as applicable. However, if no matching route is found traffic will be sent outside of AutoVPN direct to the Internet, using the Internet Traffic Flow Preferences if applicable.
What I'm getting from your posts is that you are trying to use the SD-WAN policies VPN traffic section to apply policy to Internet traffic, which won't work. Each section has its specific purpose and configuring a rule in one section for the other traffic type will have no effect.
@swifty wrote:
In fact I was successfully using the SD-WAN, VPN traffic, Uplink selection policyto send particular traffic down WAN2.
(otherwise with WAN1 as the primary uplink, WAN2 would never get a look in)
So are you saying you're using the VPN Traffic section for Internet breakout traffic?
Yeh that's odd. Maybe things don't work the way I think they do?
Are you doing full tunnel or split tunnel?
